Traps on Booking and Airbnb
Beware of these nasty vacation scams - how to protect yourself
Martin Abgottspon
25.6.2025
Scammers also try their luck on Airbnb during the summer vacation season.
Imago
During the vacation season, scammers are in high season on vacation portals such as Booking and Airbnb. Here are some current traps to watch out for before you book your hotel or vacation apartment.
25.06.2025, 14:44
27.06.2025, 10:05
Cybercriminals are not on vacation during the summer travel season. Check Point Research (CPR) has found a dramatic increase in cyber threats related to the hospitality and travel sector: 55 percent more domains related to holidays and vacations were created in May 2025 than in the same period last year. Out of over 39,000 registered domains, one in 21 was classified as malicious or suspicious.
This increase in fraudulent web domains is no coincidence. Cybercriminals are taking advantage of the seasonal upswing in travel planning to develop convincing phishing scams. These scams target consumers looking to book accommodations and secure travel deals, as well as hosts and property owners. From fake login pages with brand logos to spoofed email headers, the tactics are designed to mimic trusted services and steal login credentials or payment details.
Tips for a safe travel season
Book directly with official sources. Always enter the website address manually or use trusted apps - avoid clicking on links in emails or messages.
Double check URLs. Watch out for sneaky misspellings or unusual domain extensions (e.g. .today, .info) that are often used by scam sites.
Activate multi-factor authentication (MFA). This adds an extra layer of security even if login credentials are compromised.
Be careful with public Wi-Fi. Use a VPN when accessing sensitive information such as bank accounts or booking portals.
Install endpoint security. Comprehensive mobile and desktop protection can detect phishing attempts and block malicious downloads in real time.
At the same time, the hospitality industry is facing an unprecedented wave of cyberattacks. In May alone, the average number of weekly attacks per business in this sector was 1,834, a remarkable 48% increase from May 2024 and a 78% increase in two years. Coordinated campaigns not only threaten individual travelers, but also pose a risk to hotel chains, booking platforms and other key players in the global tourism ecosystem.
Here are some recent examples.
Airbnb phishing scam - attempt to steal payment details
Check Point Research has identified a phishing website operating under the domain clflrm-relslrlv-today[.]com and impersonating the Airbnb brand. This fraudulent website mimics the Airbnb payment page, including the official Airbnb logo, in an attempt to deceive users. By creating a false sense of legitimacy, it tricks victims into entering their payment details, which lets the attackers steal sensitive information such as card numbers, CVV and expiration dates. The site is currently inactive.
Booking.com Scam - Owner Login - Fake ReCAPTCHA
Check Point Research has identified a malicious phishing site that uses the ClickFix fake reCAPTCHA technique. It operates under the domain booking-lossitresn[.]com, which was registered in early May and is designed to mimic the booking.com brand. The fraudulent website imitates the booking.com login page for property owners. After the user enters their username, a pop-up window appears with a fake reCAPTCHA asking the user to "confirm" that they are human. Once the user confirms that they are not a robot, the website prompts them to perform additional actions by pressing Windows key + R, Ctrl + V and Enter. This pastes and executes a malicious command that triggers a PowerShell script and installs it on the victim's computer.
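For responders checking whether someone followed such a prompt: Windows keeps the commands typed into the Run dialog in the per-user RunMRU registry key. The following triage sketch is an added example, not code from Check Point Research or this article; the sample values are constructed and the function names are hypothetical.

```python
import re

# Constructed sample: values as exported from the per-user registry key
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Windows stores each Run-dialog command with a trailing "\1".
SAMPLE_RUNMRU = {
    "MRUList": "cba",                      # most recent entry first
    "a": "notepad\\1",
    "b": "powershell\\1",                  # opened interactively, no arguments
    "c": "powershell -w hidden -enc PLACEHOLDER_NOT_A_REAL_PAYLOAD\\1",
}

# A script host at the start of the command, optionally with a path and .exe.
INTERPRETER = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?(powershell|pwsh|mshta|cmd|wscript|cscript)'
    r'(?:\.exe)?"?(?=\s|$)', re.I)

# Arguments a person rarely types by hand into the Run dialog.
INDICATORS = {
    "hidden window": re.compile(r"-w(?:in\w*)?\s+h\w*", re.I),
    "encoded command": re.compile(r"(?:^|\s)-e(?:nc\w*|c)?\s", re.I),
    "remote URL": re.compile(r"https?://", re.I),
}

def parse_runmru(values):
    """Return Run-dialog commands, most recent first, without the \\1 suffix."""
    commands = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is not None:
            commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands

def triage(values):
    """Flag script-host commands that carry at least one indicator."""
    findings = []
    for cmd in parse_runmru(values):
        match = INTERPRETER.match(cmd)
        reasons = [label for label, rx in INDICATORS.items() if rx.search(cmd)]
        if match and reasons:
            findings.append((match.group(1).lower(), reasons, cmd))
    return findings

if __name__ == "__main__":
    for host, reasons, cmd in triage(SAMPLE_RUNMRU):
        print(f"{host}: {', '.join(reasons)} -> {cmd}")
```

A bare `powershell` entry is left alone on purpose: only a script host combined with hidden-window, encoded or remote-URL arguments is reported.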
Booking.com phishing email campaign
CPR recently discovered another phishing email campaign targeting booking.com property owners. The campaign included several nearly identical emails whose subject line stated that a guest had sent the host a message about a possible lost item from a previous visit. The senders were spoofed to look like a reservation number, but were actually email addresses that appeared to belong to corporate clients whose email accounts may have been compromised or spoofed.
Each email prompted the same action - verifying the guest's request for a possible lost item - which led to the same phishing link (https://knoji[.]digidip[.]net/visit?url=https://resrv-id89149[.]com). This redirected to the website resrv-id89149[.]com and finally to the subdomain booking[.]resrv-id89149[.]com. This website was registered on May 26 and is currently inactive. Based on the name of the last page, it is likely that this page also imitated the booking.com login page.
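The link structure described above can be inspected offline before anyone clicks it. This is an added example, not code from CPR or the article: it unwraps the destination hidden in the `url=` parameter and checks whether a brand name appears in a host outside the brand's own domain. The `BRANDS` mapping and the function names are assumptions; the indicators are the defanged values printed in this article.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: brand tokens mapped to the official registered domains.
BRANDS = {"booking": "booking.com", "airbnb": "airbnb.com"}

# Indicators as printed in the article (defanged).
REPORTED_LINK = "https://knoji[.]digidip[.]net/visit?url=https://resrv-id89149[.]com"
REPORTED_HOSTS = ["booking[.]resrv-id89149[.]com", "booking-lossitresn[.]com",
                  "clflrm-relslrlv-today[.]com"]

def refang(text):
    """Undo the [.] defanging so the standard URL parser can be used."""
    return text.replace("[.]", ".")

def unwrap(url, max_hops=5):
    """List every URL nested in query parameters, without any network access."""
    chain = [url]
    for _ in range(max_hops):
        params = parse_qs(urlsplit(chain[-1]).query)
        nested = [v for vals in params.values() for v in vals
                  if v.lower().startswith(("http://", "https://"))]
        if not nested:
            break
        chain.append(nested[0])
    return chain

def impersonated_brand(host):
    """Return the brand token if it appears in a host outside the official domain."""
    host = host.lower().rstrip(".")
    for token, official in BRANDS.items():
        legit = host == official or host.endswith("." + official)
        if token in host and not legit:
            return token   # heuristic: unrelated names containing the word also match
    return None

def assess(link):
    """Summarise where a link really leads: all hosts in the chain and the last one."""
    chain = unwrap(refang(link))
    hosts = [urlsplit(u).hostname for u in chain]
    return {"hosts": hosts, "wrapped": len(chain) > 1, "final_host": hosts[-1]}

if __name__ == "__main__":
    print(assess(REPORTED_LINK))
    for h in REPORTED_HOSTS:
        print(h, "->", impersonated_brand(refang(h)))
```

The Airbnb payment-page domain reported earlier contains no brand name, so a name-based check like this one does not catch it; it complements reputation and content checks rather than replacing them.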
A closer look at the phishing emails reveals a wide variety of topics and content, while the underlying theme stays clearly the same. Even the text on the button differs from email to email. This could indicate that the attackers are using generative AI tools to increase their efficiency and improve the social engineering aspects of the attacks.